While last weekend was not particularly busy in terms of Infosec news, one thing that stood out was the identification and implementation of a new WPA attack.
The purpose of this blog article is to help you identify how your wireless infrastructure (personal or business) is affected by explaining the differences between existing attacks and this new attack.
TL;DR – The short version
The attacks we’re talking about are those targeting access points that have WPA/WPA2 security protocols (https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access), which are used by the majority of access points. This also only applies to access points using a “Pre-Shared-Key” (the password you enter to connect to your Wi-Fi network, for example). For enterprise networks (based on 802.1x), other attacks do exist, but they will not be covered in this article.
This new attack is based on the same principles of previous major attacks – a brute force attack to guess the password. In short, this attack differs from previous attacks because in those it was necessary to have a complete EAPoL exhchange, where authentification details from an actual user needed to be captured.
With this new attack, the brute force method no longer requires any kind of interaction, increasing the number of access points exposed to this attack.
However, if your password is strong enough (15 characters or more and containing different types of characters), you don’t need to worry about this new WPA attack.
Overview of existing WPA/WPA2 network attacks
Several access point attacks using WPA already exist:
- The recent KRACK vulnerability, which is based on an implementation flaw
- Attacks using WPS, or Wi-Fi Protected Setup (https://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup), where a PIN is guessed, or a default PIN is tried, in an attempt to retrieve the PSK and connect to an access point
- Attacks based on intercepting wireless traffic and those allowing the arbitrary injection of packets
- Finally, the dictionary attack – the most common attack that applies to all WPA/WPA2 networks, where brute force methods are used to systematically try and break into a password protected network.
To understand the new attack identified by hashcat, we will dive deeper into the attack it is most similar to – the dictionary attack.
In short, the attack involves capturing a complete EAPOL (Extensible Authentication Protocol) exchange to recompose the PTK (Pairwise-Transient-Key), which can then be used for comparison to a password list.
The below diagram depicts an EAPOL exchange, with the client on the left and the access point on the right:
Figure 1 – EAPOL 4-Way handshake
In this exchange several data are exchanged. This allows the client to transmit a PTK key to the server.
But to understand this, we also need to understand what a PTK key is and how it is linked to passwords.
Figure 2 - Calculation of PTK (Pairwise-Transient-Key) from password
There are two stages::
- The key is passed to the PMK (Pairwise-Master-Key) and depends on the SSID (the name of the Wi-Fi network).
- The PMK is then passed on to the PTK, and is based on new information/elements.
As things stand, an attacker can force a client (if one is connected to the WPA network being attacked) to perform an additional authentication task.
The attacker will then capture the four exchanges and obtain the PTK. The PTK alone, however, is not enough to connect to a WPA network, as it is unique to each connection.
The attacker therefore needs to guess the password that corresponds to the captured PTK.
Once all the required elements have been collected, the attacker can use a precompiled list or dictionary to try and generate PMKs and PTKs until they have the right ones:
Figure 3 – Successful attack showing the retrieval of the PTK using the "Hakunamatata" password
Elements from the AirCrack suite (shown below) are often used for this:
As you can see, elements that are familiar to us are revealed – the PMK (master Key) and the PTK (Transcient Key).
The disadvantages of the technique explained above include that:
- A legitimate client is needed to capture a complete exchange
- The password in use must be weak enough, because the stronger the password is, the higher the number of processing operations will be required to move from a password to a PTK.
New attack based on the capture of a PMKID
The full details of the attack and methods used are detailed in the following article from the hashcat forum:
Figure 4 – Wireshark capture showing the capture of a PMKID
The PMKID is calculated as follows:
To break this down, the new attack consists of:
- Capturing this well-known PMKID
- Using a dictionary or list to calculate:
- A PMK corresponding to each password
- A PMKID corresponding to each PMK
- Comparing each calculated PMKID to the captured PMKID until a ‘match’ is found
We have drawn up a simple diagram of the attack using the diagram of a classic dictionary attack:
You can see that the concept doesn’t change much from the attack presented earlier in this article.
In addition, tools exist to ‘break’ the corresponding password of the access point.
Among those is hashcat:
Figure 5 – Password breakage (extract from the hashcat.net forum)
Will this attack change the world of wireless network security? Probably not.
It will, however, make dictionary attacks even easier, and will allow attackers to target WPA networks in a more stable and wider way.
It is also important to note that the article on the hashcat forum does not confirm that all equipment supports the sending of PMKIDs, but all those that were tested did support this.
This reinforces the need for the long-awaited WPA3 – a replacement for WPA/WPA2 personal network security.
But until WPA3 comes into use, the recommendation is to make sure that complex passwords are in use for WPA/WPA2 networks that use shared keys (PSKs). This will render dictionary attacks obsolete.
It is also good practice to disable the WPS to counter other network attack methods.